Observations on articles I read to keep current about technology. My interests are: Privacy, security, business, the computer industry, and geeky stuff that catches my eye.

I don't think I have an agenda beyond my own amusement.

Note that I lump all my comments into a single post. This is not a typical BLOG technique. It's just an indication that I'm lazy.

Saturday, December 26, 2015

Should we assume that TSA has discovered a major
flaw in their pat-down procedure? Perhaps they are merely trying to
justify spending all that money on a technology that wasn't being
used? (Yeah, you challenge them. I'm walking.)

Passengers required by the Transportation Security
Administration (TSA) to submit to a body scan can legally refuse,
according to Marc Rotenberg, President of the Electronic Privacy
Information Center (EPIC).

… On Friday, without notice, the
Transportation Security Authority (TSA) implemented new procedures
for airport security screening. TSA had been, until Friday, using a
screening procedure that consisted of either an AIT body scan or a
pat-down scan, at the passenger’s option. The legality
(that is, constitutionality) of the security procedure encompassing a
passenger’s option to choose an AIT scan or a pat-down scan was
affirmed by the D.C. Court of Appeals in 2012, in the EPIC v DHS
case mentioned above.

… What is different in the new security
procedures is that TSA made the body scans mandatory for some people

… Class Central has released its report
on 2015 MOOC enrollment: “The MOOC space essentially doubled this
year. More people signed up for MOOCs in 2015 than they did in the
first three years of the modern MOOC space’s existence.”

… Via
Boing Boing: “In Texas, a 12 year old Sikh boy was arrested for
‘terrorism’ over a solar charger.”

Friday, December 25, 2015

Ten months after a major hack into taxpayer
information at the IRS, the Treasury Inspector General for Tax
Administration says the IRS is still working on bolstering its
Internet sign-in procedures.

Initially the IRS had said last May that more than
100,000 taxpayer records had been stolen. But then in August it
tripled that estimate to 334,000.
The IRS says hackers had made an estimated 615,000 attempts to break
in, for a success rate of more than 50%.

… The IRS moved to close the gaps in this
application starting last spring, and is now trying to come up with
more secure sign-on procedures for taxpayers so they can access their
tax information, says the new
watchdog report.

The watchdog’s findings come as more
than eight out of ten taxpayers use websites to get information about
their tax payments, the IRS says. [Sounds
high to me. Bob]

The Office of the Director of National
Intelligence (DNI) released a handful of sensitive documents Thursday
morning dealing with terrorism suspect Anwar al-Awlaki and the
terrorist attacks in Benghazi, Libya.

The Christmas Eve document dump includes 16
pages of heavily blacked-out emails about the events surrounding
the 2012 terrorist attack on a U.S. diplomatic compound in Benghazi
that killed four Americans.

… The
documents were released as part of a “proactive
disclosure” under the Freedom of Information Act. The
government and public relations firms have been known to release
unflattering information around major holidays or weekends to blunt
the news effect.

Sometimes words in an article just jump out at me.
I wonder what other hacks are possible?

… Among the new safety features for the 2016
BMW 7 Series is an update to the adaptive cruise control designed to
help drivers stick to posted speed limits. Using data from the
navigation system and cameras
that read traffic signs, the car prompts the driver when
the speed limit is about to change.

… Speedy drivers can preselect by how much
they’d like the system to automatically
exceed the speed limit, up to 15 km/h (9.3 mph) over.

Hyatt’s notice
to customers has very few details about the investigation, such
as how long the breach lasted or how many consumers may have had
their card data stolen as a result. Hyatt did say that it has taken
steps to strengthen its systems, and that “customers can feel
confident using payment cards at Hyatt hotels worldwide.”

Yesterday morning, some of us were following up on a
ProPublica
report about a New Jersey clinic that, when suing patients for
overdue accounts, included their diagnostic codes in materials sent
to their collection agency. Those records – containing the
patients’ names, diagnostic codes, and treatment codes – became
part of public court records.

There were some interesting questions raised by
the case. The Short Hills Associates in Clinical Psychology provides
its patients with its notice of privacy practices, but when an
aggrieved patient filed a complaint with HHS over the disclosure of
his diagnostic code, OCR closed the case without action because
the clinic – using paper records for transactions – was not a
HIPAA-covered entity.

But what about the collection agency? If the
clinic was not a HIPAA-covered entity, was the collection then not a
Business Associate under HIPAA? At first blush, it might seem
unreasonable to think that they could still be a business associate
and subject to HIPAA’s restrictions on only disclosing what is
necessary to obtain payment.

But Texas attorney Jeff Drummond raised some very
interesting points in our discussion, including one that if
the collection agency was a BA for any other entity, then they might
be covered by HIPAA to protect all clients’ patient records.

Jeff has blogged about the issues raised by this
case on HIPAA
Blog. It’s a post – and interpretation of HIPAA – that I
found surprising, to say the least. I would love to see a panel
discuss this issue at a conference. In the meantime, I may shoot a
link to it over to HHS to ask for their reaction.

In the meantime, go read Jeff’s post.

Is the FAA encouraging more restrictions or
looking for better wording?

December 17, 2015 – “The Federal Aviation
Administration’s (FAA) new
fact sheet on state and local regulation of unmanned aircraft systems
(UAS) provides information for states and municipalities considering
laws or regulations addressing UAS use. The document outlines FAA’s
safety reasons for federal oversight of aviation and airspace, and
explains federal responsibility in this area. The fact sheet
provides examples of state
and local laws affecting UAS for which consultation with
the FAA is recommended, such as restrictions on flight altitude or
flight paths, regulation of the navigable airspace, and mandating
UAS-specific equipment or training. The fact sheet also gives
examples of UAS laws likely to fall within state and local government
authority, such as requirements for police to obtain a warrant prior
to using UAS for surveillance; prohibitions on the use of UAS for
voyeurism; exclusions on using UAS for hunting or fishing, or
harassing individuals engaged in those activities; and prohibitions
on attaching firearms or other weapons to a UAS.”

So you don't have to get x-rayed, unless you do.
Can you then opt-out? Probably not.

… Now the Advanced Imaging Technologies (AIT)
using Automatic Target Recognition (ATR) will be mandatory in certain
cases. Slashgear
notes that prior to this the scanners were opt-in, and one could
go through a contactless, non-imaging scan instead. That option will
exist, but security agents
can insist on mandatory screening "for some passengers." The
argument the DHS gives (PDF) is that these scanners are more
capable of detecting prohibited, non-metallic items that could
be hidden under a few layers of clothing than a metal detector
wand would be.

LexisNexis Business of Law Blog: “White papers
are a place for deep thinking – deep thinking that is data-driven.
Combine that data with innumerable client engagements, from small law
firms to large – and from corporate legal departments to legal
services bureaus – and we’re able to chronicle insights for the
market in neatly packaged white papers. As part of our 2015
roundup series, here’s
an at-a-glance listing of many of the white papers we’ve published
this year.”

NEW DELHI: Social media giant Facebook has started
an aggressive campaign in India to gather public support for its free
internet platform 'Free Basics.'

… The Telecom Regulatory Authority of India
(Trai) has asked RCom to keep the service in abeyance till there is a
decision on its consultation process around differential pricing of
data by operators. The last date for public comments
on Trai's paper is December 30.

… The regulator has received close to 5.7 lakh
[570,000 Bob]
comments, out of which over 5.5 lakh comments are through Facebook's
campaign.

I will not use this line on my students. I will
not use this line on my students. I will not use this line on my
students.

The Department of Homeland Security has arrested
and charged (PDF)
a man from the Bahamas for stealing unreleased movie/TV scripts along
with celebrities' files and sensitive information. According to The
New York Times, the 23-year-old hacker named Alonzo Knowles
contacted a radio host in an effort to sell his loot, which included
the scripts for six episodes of a hit drama currently being filmed.
When the unnamed host got in touch with Homeland Security, the agency
cooked up a sting operation and had him put Knowles in touch with an
undercover investigator posing as a buyer.

… The accused allegedly tried to sell the
agent 15 scripts
and the social security numbers of two athletes and a movie actress
for $80,000. He also showed the agent a sex tape, saying that it's
merely a "sample of things [he] can get" -- he had "more
stuff along these lines and can get more" if the buyer was
interested.

… He reportedly admitted to the undercover
agent that when it was too
difficult to hack a particular celebrity, he would look at pictures
online to see who his friends are and then hack them instead.
He'd also send fake automated text messages telling recipients that
their accounts had been hacked, and some people actually replied with
their passwords. Other times, he'd send a virus to celebrities'
computers to infiltrate their systems.

For
three years, state Department of Corrections staff knew a
software-coding error was miscalculating prison sentences and
allowing inmates to be released early. On Tuesday, Gov.
Jay Inslee gave the damning tally: up to 3,200 prisoners set free too
soon since 2002.

The problem stemmed from “good time” credits
applied to certain prison sentences, and was
discovered, according to the Corrections Department, only
after a victim’s family alerted officials in 2012 that
they might be planning to release an offender too early. Once the
broader problem was discovered, a scheduled software fix got caught
up in repeated IT delays, yet to be explained.

“That this
problem was allowed to continue to exist for 13 years is
deeply disappointing,” Inslee said. “It is totally unacceptable,
and frankly it is maddening.”

… The governor ordered the DOC to halt all
releases of prisoners whose sentences could have been affected until
a hand calculation is done to ensure offenders are being released on
the correct date. [Why not
three years ago? Bob]

But it’s easy for infosec pros to sit
back and think, ‘Thank Gawd my company isn’t such a big fat
target.’ Instead, they should remember all of the smaller breaches
that happened this year as a lesson that corporations and government
departments aren’t the only targets. Here are just three of them:

Read more on IT
World Canada, where Solomon actually mentions a number of
incidents, including a few you may not have heard about.

Joshua Baron, Angela O’Mahony, David Manheim,
Cynthia Dion-Schwarz: “This
report examines the feasibility for non-state actors, including
terrorist and insurgent groups, to increase their political and/or
economic power by deploying a virtual currency (VC) for use in
regular economic transactions. A VC, such as Bitcoin, is a digital
representation of value that can be transferred, stored, or traded
electronically and that is neither issued by a central bank or public
authority, nor necessarily attached to a fiat currency (dollars,
euros, etc.), but is accepted by people as a means of payment. We
addressed the following research questions from both the
technological and political-economic perspectives: (1) Why would a
non-state actor deploy a VC? That is, what political and/or economic
utility is there to gain? How might this non-state actor go about
such a deployment? What challenges would it have to overcome? (2) How
might a government or organization successfully technologically
disrupt a VC deployment by a non-state actor, and what degree of
cyber sophistication would be required? (3) What additional
capabilities become possible when the technologies underlying the
development and implementation of VCs are used for purposes broader
than currency? This report should be of interest to policymakers
interested in technology, counterterrorism, and intelligence and law
enforcement issues, as well as for VC and cybersecurity researchers.”

To steal a line from Jaws, “We're gonna need a
bigger jail!” (This guy makes me look anorexic.) But wait! The
fun is not over yet!

Internet entrepreneur Kim
Dotcom and three co-defendants are eligible to be extradited to
the U.S. to face charges including criminal copyright infringement,
money laundering and conspiracy to commit racketeering, a New Zealand
court ruled on Wednesday.

… His New Zealand-based lawyer Ron Mansfield
told The Wall Street Journal that Mr. Dotcom is positive he can
succeed in the higher courts in New Zealand. “We’ve just got
through the starter’s gates, we haven’t lost the race. We remain
pretty confident.”

… Cybersecurity insurance is one of the
fastest growing sectors in the insurance market, according to the PwC
Global State of Information Security Survey 2016. A recent PwC
report forecasts that the global cyberinsurance market will reach
$7.5
billion in annual sales by 2020, up from $2.5 billion this year.

A rite of passage for new parents is
child-proofing—securing the home from threats to children. Most
experts on the subject highly recommend that parents make their way
around the house on their hands and knees in order to experience the
environment from a child’s perspective. This may be the
only way to see the threats that aren’t obvious from an adult’s
point of view.

The same is true when building security into an
application. Obviously, there are lists of common vulnerabilities
and other guidance in the form of best practices to consider.
However, to really protect
software you need to consider the hacker’s point of view of the
application. You need to think like a hacker, but act
like a security pro.

Betting on litigation. A new area for my
Statistics students to ponder?

Caterpillar
ordered to pay $73.6M to tiny British firm for stealing design

A federal jury has ordered Peoria-based
Caterpillar to pay a small British firm $73.6 million for ripping off
its design for a piece of heavy-duty construction equipment.

… Miller's victory was good news for Highland
Park-based Arena Consulting, which helped bankroll the suit in return
for a cut of the jury award.

So-called litigation financing is a growing but
controversial industry. Supporters say it levels the playing field,
allowing small-time litigants to have their day in court against
wealthy defendants, but critics say giving outside investors a stake
in the outcome of a case can skew the litigants' decision making.

… Some scholars argue nations must take a
rigorous approach to understanding how people become radicalized —
and, just as importantly, that religion itself is not the main
motivation.

A substantial number of radical Islamic terrorists
are recent converts who know surprisingly little about Islam, Olivier
Roy, a professor at the European University Institute in Italy and
well-known analyst of Islamist terrorism, said in a recent lecture,
where he attempted to lay out “a scientific perspective on the
causes/circumstances” of people joining radical groups.

… No comprehensive data exists on the
militants who have joined the Islamic State and other organizations,
but Roy has analyzed individual stories of the path to radicalization
— saying that we must first understand radicalization before we can
hope to prevent or reverse it.

… 4. Most radicals are motivated by the
desire to be a hero, to do violence or get revenge.

After over a month of speculation, more details
are beginning to emerge surrounding Amazon's rumored plan to launch
an in-house freight airline. The rumor started
with someone close to the talks posting on an online forum stating
that Amazon is working to create the world's largest overnight parcel
service within 2 years. The source stated Amazon would not buy an
existing company as it did
not want to inherit the problems so instead resorted to
launching its own operation. In this article, I go into detail about
the implications of such an operation for Amazon financially,
structurally and the risks associated with such a venture.

… Amazon has been quietly
building up sorting centers across the country, replacing work
that was previously done by FedEx and UPS

Monday, December 21, 2015

Iranian hackers infiltrated the control
system of a small dam less than 20 miles from New York City two years
ago, sparking concerns that reached to the White House, according to
former and current U.S. officials and experts familiar with the
previously undisclosed incident.

“Everything is being integrated, which is great,
but it’s not very secure,” said Cesar Cerrudo, an Argentine
researcher and chief technology officer at IOActive Labs, a
security-consulting firm. At a hacker conference last year in Las
Vegas, Mr. Cerrudo wowed the audience when he showed how he could
manipulate traffic lights in major U.S. cities.

Operators of these systems “don’t think about
security,” he said.

Not just educating employees, but keeping them
alert. What would a serious hacker do?

Terrified by a string of recent hacks,
banks are spending billions of dollars trying to fend off a faceless
army of digital intruders.

But the biggest threats may come from
within.

Banks fear a growing number of employees
are unwittingly exposing valuable information to hackers or in some
cases leaving digital clues that make a breach possible. To boost
their defenses, firms are banning workers from using portable devices
such as USB drives, warning employees to be careful what they post on
social media and even discouraging
workers from posting “out-of-office” replies on their emails.

Networking
and security company Juniper Networks revealed last week that it had
identified unauthorized
code in ScreenOS, the operating system powering the company’s
NetScreen firewalls.

… The
vulnerabilities have been analyzed by several external researchers.
Fox-IT experts said it took them just 6 hours to find
the password for the ScreenOS authentication backdoor.

After
analyzing
the differences between the vulnerable and patched versions of
ScreenOS, Rapid7’s HD Moore determined that the authentication
backdoor, which can be exploited via SSH or Telnet, involves the
default password <<<
%s(un='%s') = %u

This
backdoor password, which was presumably set this way so that it would
be mistaken for one of the many debug format strings present in the
code, can be leveraged by an attacker who knows a valid username for
the device.

On
one hand, it’s difficult to say if this vulnerability has been
exploited in the wild since even though an unauthorized access
attempt would normally be logged, it’s easy for an attacker to
delete the relevant log entries. However, as Moore has highlighted,
the logs might be sent to a centralized server, which could result in
an alert being triggered.
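One way to act on Moore's point about centralized logs, as an added example that is not from the article, from Rapid7 or from Juniper: a small Python checker that reads centrally collected admin-login events and flags successful logins from outside the management network or over cleartext Telnet. The line format and the sample lines are constructed for this example; the real ScreenOS syslog layout is not taken from the page.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed log line layout (an assumption for this example, not the real
# ScreenOS syslog format):
#   <ts> <host> admin-login: user="<name>" method=<SSH|Telnet|Web>
#        from=<ip>:<port> result=<success|failure>
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) admin-login: '
    r'user="(?P<user>[^"]*)" method=(?P<method>\S+) '
    r'from=(?P<ip>[\d.]+):\d+ result=(?P<result>success|failure)$'
)

# Constructed sample: one normal login, one failed probe, then a successful
# login from an outside address and a Telnet login from inside.
SAMPLE_LOG = """\
Dec 20 10:15:02 fw1 admin-login: user="netscreen" method=SSH from=10.0.0.5:51022 result=success
Dec 20 10:16:40 fw1 admin-login: user="netscreen" method=SSH from=203.0.113.45:40111 result=failure
Dec 20 10:16:41 fw1 admin-login: user="netscreen" method=SSH from=203.0.113.45:40112 result=success
Dec 20 10:20:09 fw1 admin-login: user="backup" method=Telnet from=10.0.0.7:3391 result=success
"""

# Management network(s) from which admin logins are expected (assumed value).
ALLOWED_NETS = ["10.0.0.0/24"]


@dataclass
class Alert:
    host: str
    user: str
    method: str
    src: str
    reason: str


def parse(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_suspicious_logins(lines, allowed_nets):
    """Flag successful admin logins that come from outside the management
    network or that used cleartext Telnet. Failures are ignored here because
    the backdoor does not fail: the interesting event is the success."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None or rec["result"] != "success":
            continue
        src = ipaddress.ip_address(rec["ip"])
        reasons = []
        if not any(src in n for n in nets):
            reasons.append("source outside management network")
        if rec["method"].lower() == "telnet":
            reasons.append("cleartext Telnet management login")
        if reasons:
            alerts.append(Alert(rec["host"], rec["user"], rec["method"],
                                str(src), "; ".join(reasons)))
    return alerts


def run_sample():
    """Run the checker over the constructed sample log."""
    return find_suspicious_logins(SAMPLE_LOG.splitlines(), ALLOWED_NETS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.host}: {a.user} via {a.method} from {a.src}: {a.reason}")
```

Because the alerts are raised on the log collector rather than on the firewall, an intruder who clears the device's local log does not remove the evidence.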

It's not Hillary's fault. (Bet you never expected
to see those words on this Blog.) No politicians understand
technology and that's okay. Very few politicians bother to ask the
people who do know, and that's the problem.

Clueless
Hillary Clinton On Encryption, Doesn't Understand The Concept Of The
'Back Door'

… On one hand, Clinton doesn't want back
doors, but on the other, she wants law enforcement to be able to gain
access to data if needed. She seals the deal with: "I just
think there's got to be a way, and I would hope our tech companies
would work with government to figure it out." Making matters
worse she ponders, "maybe the back door is the wrong door?"

Clinton went on to say that maybe we need a
"Manhattan-like project" [Because
politicians understand spending lots and lots of money Bob]
to accomplish this goal. What she doesn't seem to realize is that
what she's effectively asking for is a back door, and as soon
as any company (or person, for that matter) deliberately punches a
hole in their product's security, it's no longer secure. Period.

Over
ten million fans tried to buy tickets to Adele's North American tour

… When tickets for Adele's North American tour
went on sale Wednesday morning, the virtual box office was literally
crushed when over ten million fans rushed the site. Up for
grabs were some 750,000 tickets for her 25 album tour across
the continent.

… Just how unprecedented was the demand?
Ticketmaster says that the ten million-plus figure represents an
"all-time record," and according to Billboard's
source, over four million tried to buy tickets for the six shows in
New York City alone. Perhaps the craziness isn't so surprising
considering sales of Adele's 25, which crushed
all single-week records.

Perspective. Another of those “Year End”
articles. Some charts are interesting even to me.

Sunday, December 20, 2015

Interesting, but it seems to perpetuate the
fallacy that Healthcare requires unique security tools or techniques.
Why does that not surprise me? 90 days to create a new bureaucracy,
look at other industries rather than your own needs, get the taxpayer
to give them all that for free – how typical.

The legislation creates a healthcare
industry cybersecurity task force
(PDF) to be established within the law's first 90 days.
The task force will study how other industries combat cyber
threats as well as the technical and other challenges that make the
healthcare industry vulnerable to attacks.

It also calls for a single pipeline of actionable
information on cyber threats that could be accessed in real-time and
at no cost. Access to that information is currently
cost-prohibitive to small and mid-size healthcare organizations, said
Samantha Burch, HIMSS' senior director of congressional affairs.

This is political speak, right? You don't think
he actually believes that? To actually do that, you would need to
know that “Evil Isis Guy” uses the nom-de-guerre “Ronald
McDonald.”

… Today, during his year-end press conference,
President Barack Obama attempted to clarify what social data is and
isn’t included in the vetting process. “Our law enforcement and
intelligence professionals are constantly monitoring public posts,
and that’s part of the visa review process,” he said. What the
government doesn’t have access to, he said, are the multitude of
private email, chat, and text platforms that we all use on a daily
basis.

Interesting. Will this cause states to require
commercial licenses for Uber drivers?

An Uber-style business that connects private
pilots with travelers willing to split fuel costs and other expenses
was shot down by a Washington, D.C., court.

The judges on Friday declined Flytenow
Inc.’s request to review a Federal Aviation Administration
ruling that pilots who use the service to find passengers must have
commercial licenses.

Flytenow.com connects members who share expenses
in exchange for flights on a route predetermined by the pilot.
AirPooler Inc.
offers a similar service that was also blocked by the FAA’s rules,
which rejected the idea that cost-sharing is different from a
commercial aviation operation.

Facebook saw an 8 percent increase from 2014, when
it topped the list with more than 118 million users. Another one of
the company's apps, Facebook Messenger, jumped to the third spot in
2015 with more than 96 million users, up from around 53 million last
year.

“For the last half decade, ever since digital
books and e-readers first came on the scene, news headlines have been
at war. “The physical book is dead,” some reports declared,
while others vehemently argued for the eternality
of the printed word. Data, actually, supports the latter
sentiment. At least in the US, sales of physical books have
experienced a renewed surge of interest, according to Nielsen
BookScan, a data provider that collects data on roughly 85% of the
print market. As of early December 2015, Nielsen says, around 571
million paper books have been sold in the country—a modest but
noticeable increase over the 559 million sold in 2014.”

It's scary how closely this matches the way some
of my students write.


About Me

I live in Centennial Colorado. (I'm not actually 100 years old, but I hope to be some day.) I'm an independent computer consultant, specializing in solving problems that traditional IT personnel tend to have difficulty with... That includes everything from inventorying hardware & software, to converting systems & data, to training end-users. I particularly enjoy taking on projects that IT has attempted several times before with no success. I also teach at two local Universities: everything from Introduction to Microcomputers through Business Continuity and Security Management. My background includes IT Audit, Computer Security, and a variety of unique IT projects.